Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kalamar / a8f87cc5c5272ceb4d9d86ba7ecff09e369d49d7^! / . / t / plugin / auth-oauth.t
commita8f87cc5c5272ceb4d9d86ba7ecff09e369d49d7[log] [tgz]
authorAkron <nils@diewald-online.de>Thu Feb 23 12:21:30 2023 +0100
committerAkron <nils@diewald-online.de>Thu Feb 23 14:12:29 2023 +0100
treeee6244e8b3f58bbfdde90880b5b888f4d536a041
parent346b67dcb8404fffc8328a0c16cc5befdef320f7 [diff] [blame]
Do not follow redirects on authorization requests (fixes #195)

Change-Id: Idba831398cfa7c51fb8f56e55c5265234a0d4652

diff --git a/t/plugin/auth-oauth.t b/t/plugin/auth-oauth.t
index 9deec0e..dfe9fc0 100644
--- a/t/plugin/auth-oauth.t
+++ b/t/plugin/auth-oauth.t

@@ -1019,16 +1019,27 @@
   ->header_is('location', '/settings/oauth?error_description=Bad+CSRF+token')
   ;
 
+
+my $local_port = $t->get_ok('/')->tx->local_port;
+my $remote_port = $t->get_ok('/')->tx->remote_port;
+
+like($local_port, qr!^\d+$!);
+like($remote_port, qr!^\d+$!);
+
+my $port = $remote_port;
+
+my $redirect_url_fakeapi = $t->app->close_redirect_to(Mojo::URL->new('http://localhost:' . $port)->path($fake_backend_app->url_for('return_uri'))->to_abs->to_string);
+
 $fwd = $t->post_ok(Mojo::URL->new('/settings/oauth/authorize')->query({
   client_id => 'xyz',
   state => 'abcde',
   scope => 'search match',
-  redirect_uri_server => 'http://example.com/',
-  redirect_uri => $fake_backend_app->url_for('return_uri')->to_abs,
+  redirect_uri_server => 'http://localhost:'.$port,
+  redirect_uri => "$redirect_url_fakeapi",
   csrf_token => $csrf,
 }))
   ->status_is(302)
-  ->header_like('location', qr!/realapi/fakeclient/return!)
+  ->header_like('location', qr!^http://localhost:\d+/realapi/fakeclient/return\?code=.+$!)
   ->tx->res->headers->header('location')
   ;
 
@@ -1037,6 +1048,28 @@
   ->content_like(qr'welcome back! \[(.+?)\]')
   ;
 
+my $fake_port = $port;
+
+while ($fake_port == $remote_port || $fake_port == $local_port) {
+  $fake_port++;
+};
+
+$redirect_url_fakeapi = $t->app->close_redirect_to(Mojo::URL->new('http://localhost:' . $fake_port)->path($fake_backend_app->url_for('return_uri'))->to_abs->to_string);
+
+$fwd = $t->post_ok(Mojo::URL->new('/settings/oauth/authorize')->query({
+  client_id => 'xyz',
+  state => 'abcde',
+  scope => 'search match',
+  redirect_uri_server => 'http://localhost:'.$port,
+  redirect_uri => "$redirect_url_fakeapi",
+  csrf_token => $csrf,
+}))
+  ->status_is(302)
+  ->header_unlike('location', qr!^http://localhost:\d+/realapi/fakeclient/return\?error_description=Connection\+refused$!)
+  ->header_like('location', qr!^http://localhost:\d+/realapi/fakeclient/return\?code=.+?$!)
+  ->tx->res->headers->header('location')
+  ;
+
 $t->post_ok(Mojo::URL->new('/settings/oauth/authorize')->query({
   client_id => 'xyz',
   state => 'abcde',